
Releases: zmap/zlint

v3.1.0-rc1

30 Jan 19:56
848c50b
v3.1.0-rc1 Pre-release

ZLint v3.1.0-rc1

The ZMap team is happy to share ZLint v3.1.0-rc1.

Thank you to everyone who contributes to ZLint; whether it be code, knowledge, wisdom, or the grace of all three, you are appreciated.

Breaking Changes:

No breaking changes were made in this release.

New Lints:

  • e_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth, CABF Baseline Requirements - §4.9.9

    OCSP signing Certificate MUST contain an extension of type id-pkix-ocsp-nocheck, as defined by RFC6960.

  • e_ev_organization_id_missing lint, CABF EV Guidelines v1.7.0 - §9.8.2

    Effective January 31, 2020, if the subject:organizationIdentifier field is present, this [cabfOrganizationIdentifier] field MUST be present.

  • e_name_constraint_not_fqdn, RFC 5280 - §4.2.1.10

    For URIs, the constraint MUST be specified as a fully qualified domain name [...] When the constraint begins with a period, it MAY be expanded with one or more labels.

Bug Fixes:

  • e_serial_number_longer_than_20_octets has been corrected to count the number of octets taken to represent a serial number after it has been serialized to ASN.1. Since ASN.1 numbers are signed values, serial numbers that are greater-than-or-equal-to 2^160 will begin to fail this lint as they are prefixed with a 0x00 to maintain their positive sign.
  • Previously the e_ext_duplicate_extension lint from the lint.RFC5280 source returned a lint.Error result as soon as one duplicate extension was found in a certificate. It did not indicate which extension OID was duplicated, or whether more than one extension was duplicated. In this release, the lint now does both of these things: the detail string indicates all of the extension OIDs that were present more than once.
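
The counting rule behind the e_serial_number_longer_than_20_octets fix can be reproduced with Go's standard library. This is an added example, not ZLint's own code; the function names and sample serials are constructed for illustration. It compares the byte length of the serial's magnitude with the number of content octets in its DER INTEGER encoding, which gains a leading 0x00 when the high bit of the first magnitude byte is set.

```go
package main

import (
	"encoding/asn1"
	"fmt"
	"math/big"
)

// maxSerialOctets is the 20-octet limit the lint enforces.
const maxSerialOctets = 20

// magnitudeOctets counts the bytes of the absolute value only. This is the
// naive measurement: it ignores the sign octet DER may have to add.
func magnitudeOctets(serial *big.Int) int {
	return len(serial.Bytes())
}

// derContentOctets serializes the serial as an ASN.1 INTEGER and returns the
// number of content octets (the value part of the TLV), which is what is
// actually written into the certificate.
func derContentOctets(serial *big.Int) (int, error) {
	der, err := asn1.Marshal(serial)
	if err != nil {
		return 0, err
	}
	var raw asn1.RawValue
	if _, err := asn1.Unmarshal(der, &raw); err != nil {
		return 0, err
	}
	return len(raw.Bytes), nil
}

// serialTooLong applies the 20-octet limit to the encoded form.
func serialTooLong(serial *big.Int) (bool, error) {
	n, err := derContentOctets(serial)
	if err != nil {
		return false, err
	}
	return n > maxSerialOctets, nil
}

// sampleSerial builds a constructed n-byte serial whose first byte is first.
func sampleSerial(first byte, n int) *big.Int {
	b := make([]byte, n)
	b[0] = first
	for i := 1; i < n; i++ {
		b[i] = 0x01
	}
	return new(big.Int).SetBytes(b)
}

func main() {
	cases := []struct {
		name   string
		serial *big.Int
	}{
		{"20 bytes, high bit clear", sampleSerial(0x7f, 20)},
		{"20 bytes, high bit set", sampleSerial(0x80, 20)},
		{"19 bytes, high bit set", sampleSerial(0xff, 19)},
	}
	for _, c := range cases {
		n, err := derContentOctets(c.serial)
		if err != nil {
			fmt.Println(c.name, "error:", err)
			continue
		}
		tooLong, _ := serialTooLong(c.serial)
		fmt.Printf("%-26s magnitude=%d encoded=%d tooLong=%v\n",
			c.name, magnitudeOctets(c.serial), n, tooLong)
	}
}
```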

Misc:

  • Updated TLD data (Current to 2020-12-11).
  • ZCrypto dependency bumped to 9cf5bea.
  • Changed the project style guide to ask that lints have their init function declared near the top of the file, as it often contains the most useful information for outside readers.
  • Removed an unused utility function.
  • Copyright updated to 2021.

Full Changelog

848c50b integration: fix resultCount types to not overflow, update expected vals. (#557)
12bb0ed lints: revert e_key_usage_and_extended_key_usage_inconsistent. (#556)
c1c6681 lints: fix description of e_ext_ian_uri_not_ia5 (#554)
2549ed3 lints: return detail for e_ext_duplicate_extension. (#550)
6dde095 deps: update zcrypto to 9cf5bea (#548)
3094399 tests: coverage for e_name_constraint_not_fqdn detail msgs (#547)
ea23311 lints: move init to start of lint_name_constraint_not_fqdn.go (#544)
6d643b9 project: re-order lint init functions (#536)
edd0d0c lints: adds e_name_constraint_not_fqdn lint (RFC5280 4.2.1.10) (#533)
186e2c1 project: update copyright year to 2021 (#543)
5316fa5 lints: adds e_ev_organization_id_missing lint (CABF EVG 1.7.0 Section 9.8.2) (#532)
b0e20c8 docs: CONTRIBUTING.md updates, couple copyright year tweaks. (#535)
747b41f lints: fix boundary condition in e_serial_number_longer_than_20_octets lint (#527)
3042438 KU and EKU Inconsistent lint correction (#528)
4d0ac7a deps: update zmap/zcrypto to 1eef276 (#529)
b691fe9 Added a new lint and tests for correlation between KU&EKU (#497)
a1b837a deps: update zmap/zcrypto to deeac00. (#526)
9e16bfc util: remove unused ICANNPublicSuffixParse helper. (#525)
f47c9d6 CI: Cleanup hacky tld-update workflow env var use. (#524)
d8314a3 CI: Have tld-update workflow build & test pre-PR. (#521)
83f15ca util: gtld_map autopull updates for 2020-12-11T05:27:56 UTC (#520)
b6e5ba7 util: gtld_map autopull updates for 2020-12-08T18:31:14 UTC (#518)
1eb11ce Ocsp eku check for tls certificates (#490)
662504d change tld updator to not be me (#516)
931c5d4 util: gtld_map autopull updates for 2020-11-30T23:23:57 UTC (#514)
12dfc18 CI: Add cron workflow for gTLD update PRs. (#513)

v3.0.0

12 Dec 15:35
v3.0.0
fe65bae

ZLint v3.0.0

The ZMap team is happy to share ZLint v3.0.0. Beyond bug fixes and new lints, this major release also has a few breaking changes from v2.x.x that we want to draw to your attention.

Breaking Changes:

  • w_dnsname_wildcard_left_of_public_suffix and w_san_iana_pub_suffix_empty have been demoted from warnings to notices and renamed accordingly (n_dnsname_wildcard_left_of_public_suffix and n_san_iana_pub_suffix_empty).
  • The e_tls_server_cert_valid_time_longer_than_398_days lint now only returns an error finding for certs exceeding the 398 day lifetime. The warning result previously returned for exceeding the 397 day lifetime suggestion is now a separate w_tls_server_cert_valid_time_longer_than_397_days lint.
  • The lint.AppleCTPolicy lint source was renamed to lint.AppleRootStorePolicy.
  • The lint.AWSLabs and lint.ZLint lint sources were combined into one new lint source lint.Community.

New Lints:

  • w_tls_server_cert_valid_time_longer_than_397_days - see breaking change notes above.

Bug Fixes:

  • Previously n_san_iana_pub_suffix_empty could only flag one DNS name in a certificate and would potentially return NA for certificates with one or more names that fail to be parsed by publicsuffix-go. It now handles both cases correctly.
  • Removed testdata/QcStmtEtsiQcComplWithNonEmptyStmtInfoCert19.pem and its test case. The updated Go 1.15/ZCrypto throw a parse error for this test case now that they are QcStatement aware.

Misc:

  • Project and releases now built with Go 1.15.x
  • Updated TLD data (Current to 2020-11-21).
  • Integration test failures now include error/warning/info overviews.
  • ZCrypto dependency bumped to latest commit.
  • Project CI converted from Travis CI to GitHub Actions.

Full Changelog

fe65bae project: bump major version to 3.0.0 (#510)
0d48ea1 lint: combine ZLint and AWSLabs Sources into Community. (#509)
8dc66d0 Update to Go 1.15, latest , fix n_san_iana_pub_suffix_empty. (#508)
da00f3f CI: Switch from Travis to Github Actions. (#505)
7f7ef1f lints: split Apple cert lifetime lint per-result. (#506)
c42a358 lint: rename Source AppleCTPolicy -> AppleRootProgramPolicy (#501)
71e2966 gTLD autopull: 2020-11-21T16:05:09Z (#498)
29b3fa9 Update Contributing Guidelines (#495)
e2b3658 make two lints notice instead of warn, (#493)
7b54a38 Improve readability of "EKU" abbreviation (#489)
f46d09c tests: include error/warning/info overview for integration test failures (#488)
cca4a6b gTLD autopull: 2020-10-19T15:48:38Z (#487)

v3.0.0-rc1

29 Nov 21:02
v3.0.0-rc1
fe65bae
v3.0.0-rc1 Pre-release

ZLint v3.0.0-rc1

The ZMap team is happy to share ZLint v3.0.0-rc1. Beyond bug fixes and new lints, this major release candidate also has a few breaking changes from v2.x.x that we want to draw to your attention.

Breaking Changes:

  • w_dnsname_wildcard_left_of_public_suffix and w_san_iana_pub_suffix_empty have been demoted from warnings to notices and renamed accordingly (n_dnsname_wildcard_left_of_public_suffix and n_san_iana_pub_suffix_empty).
  • The e_tls_server_cert_valid_time_longer_than_398_days lint now only returns an error finding for certs exceeding the 398 day lifetime. The warning result previously returned for exceeding the 397 day lifetime suggestion is now a separate w_tls_server_cert_valid_time_longer_than_397_days lint.
  • The lint.AppleCTPolicy lint source was renamed to lint.AppleRootStorePolicy.
  • The lint.AWSLabs and lint.ZLint lint sources were combined into one new lint source lint.Community.

New Lints:

  • w_tls_server_cert_valid_time_longer_than_397_days - see breaking change notes above.

Bug Fixes:

  • Previously n_san_iana_pub_suffix_empty could only flag one DNS name in a certificate and would potentially return NA for certificates with one or more names that fail to be parsed by publicsuffix-go. It now handles both cases correctly.
  • Removed testdata/QcStmtEtsiQcComplWithNonEmptyStmtInfoCert19.pem and its test case. The updated Go 1.15/ZCrypto throw a parse error for this test case now that they are QcStatement aware.

Misc:

  • Project and releases now built with Go 1.15.x
  • Updated TLD data (Current to 2020-11-21).
  • Integration test failures now include error/warning/info overviews.
  • ZCrypto dependency bumped to latest commit.
  • Project CI converted from Travis CI to GitHub Actions.

Full Changelog

fe65bae project: bump major version to 3.0.0 (#510)
0d48ea1 lint: combine ZLint and AWSLabs Sources into Community. (#509)
8dc66d0 Update to Go 1.15, latest , fix n_san_iana_pub_suffix_empty. (#508)
da00f3f CI: Switch from Travis to Github Actions. (#505)
7f7ef1f lints: split Apple cert lifetime lint per-result. (#506)
c42a358 lint: rename Source AppleCTPolicy -> AppleRootProgramPolicy (#501)
71e2966 gTLD autopull: 2020-11-21T16:05:09Z (#498)
29b3fa9 Update Contributing Guidelines (#495)
e2b3658 make two lints notice instead of warn, (#493)
7b54a38 Improve readability of "EKU" abbreviation (#489)
f46d09c tests: include error/warning/info overview for integration test failures (#488)
cca4a6b gTLD autopull: 2020-10-19T15:48:38Z (#487)

v2.2.1

14 Oct 22:09
v2.2.1
def029d

The ZMap team is happy to share ZLint v2.2.1. This minor release primarily includes a fix for a security vulnerability in a dependency. We encourage anyone using ZLint on untrusted certificate inputs to upgrade.

Bug Fixes:

  • golang.org/x/text dependency bumped to v0.3.3 to address CVE-2020-14040.

Misc:

  • Better error message from test/helpers.go's ReadTestCert helper in the case where an input certificate causes a panic during parse.
  • Updated TLD data (Current to 2020-10-08).

Full Changelog

6b73243 deps: bump golang.org/x/text to 0.3.3 to fix CVE-2020-14040 (#481)
f7543c7 Improve error message of ReadTestCert panic (#478)
c16b5bd README: Add Nexus CM to list of users/integrations (#477)
def029d misc: gitignore Visual Studio Code configuration files (#485)
1fd4782 README: Correction of link to Siemens PKI (#486)
5ed7e13 gTLD autopull: 2020-10-08T15:44:26Z (#484)

v2.2.1-rc1

06 Oct 23:44
v2.2.1-rc1
6b73243
v2.2.1-rc1 Pre-release

The ZMap team is happy to share a v2.2.1 release candidate. This minor release primarily includes a fix for a security vulnerability in a dependency. We encourage anyone using ZLint on untrusted certificates to upgrade.

Bug Fixes:

  • golang.org/x/text dependency bumped to v0.3.3 to address CVE-2020-14040.

Misc:

  • Better error message from test/helpers.go's ReadTestCert helper in the case where an input certificate causes a panic during parse.

Changelog

6b73243 deps: bump golang.org/x/text to 0.3.3 to fix CVE-2020-14040 (#481)
f7543c7 Improve error message of ReadTestCert panic (#478)
c16b5bd README: Add Nexus CM to list of users/integrations (#477)

v2.2.0

17 Sep 22:39
v2.2.0
aa4e261

ZLint v2.2.0

The ZMap team is happy to share ZLint v2.2.0. This minor release primarily includes bug fixes and new lints.

New Lints:

  • New RFC 5280 Lints:
    • e_cert_sig_alg_not_match_tbs_sig_alg to verify tbsCertificate algorithm matches certificate's signature algorithm.
  • New CA/Browser Forum Lints:
    • e_san_dns_name_onion_invalid to validate .onion certificate subject addresses are well-formed.

Updated Lints:

  • e_ext_tor_service_descriptor_hash_invalid updated for Ballot SC27 to only require the extension for EV certificates.

Removed Lints:

  • e_sub_ca_aia_does_not_contain_ocsp_url, as of Ballot SC31 this lint is no longer required.

Command Line Utility Updates:

  • -summary and -longSummary command line flags added to zlint utility for presenting lint results in a human-readable tabular form.

Bug Fixes:

  • lint_ev_valid_time_too_long maximum validity calculation fixed and source/citation/package corrected to CABF EV Guidelines.
  • e_ev_business_category_missing, e_ev_country_name_missing, e_ev_organization_name_missing, and e_ev_serial_number_missing source/citation/package corrected to CABF EV Guidelines.
  • e_tls_server_cert_valid_time_longer_than_398_days fixed to not apply to CA certificates.
  • e_tls_server_cert_valid_time_longer_than_398_days fixed off-by-one calculation of validity period.

Misc:

  • README updates.
  • Updated ZCrypto dependency (Added QCStatement support).
  • Updated TLD data (Current to 2020-09-08).

Full Changelog

aa4e261 autopull: 2020-09-08T15:28:12Z (#470)
2b994a7 Align Validity Period definition with RFC 5280 (#469)
f20a717 CONTRIBUTING: Add notes on publishing a release. (#468)
e1a9412 Add citation for sub-CAs to ca_digital_signature_not_set (#464)
9ab0643 Ballot SC31 makes OCSP optional for intermediate certificates. (#463)
3f689d2 README to suggest checking x509.ParseCertificate error (#460)
ada0991 autopull: 2020-07-29T15:10:15Z (#459)
6d02ef7 tests: add NA test case for e_tls_server_cert_valid_time_longer_than_398_days (#457)
34310bd this lint shouldn't apply to CA certs (#456)
ca9532d Create options for human-readable output formats (#437)
5f05d1d gTLD autopull: 2020-07-18T15:05:07Z (#455)
a9b0032 gTLD autopull: 2020-06-27T14:52:30Z (#452)
f530e42 docs: add Entrust Datacard to README ZLInt users. (#451)
d4acbba lints: cabf_br lint to verify .onion addresses are well-formed (#450)
84a8a20 Fix .onion tests to only apply to EV certificates (#449)
ecf8678 Move EV-specific tests to cabf_ev (#445)
c820d95 Fix the EV validity check (#447)
37a03da docs: correct link to integration test documentation (#446)
ce1631b autopull: 2020-06-03T14:39:17Z (#444)
de9eafb Check tbsCertificate signature algorithm matches certificate (#436)
82e1f43 gTLD autopull: 2020-05-28T14:35:00Z (#442)
da06a3a autopull: 2020-05-27T14:34:02Z (#441)
9957909 Deps: Update ZCrypto, fix assoc. test breakage. (#435)
a42b778 ci: remove vendor dir, Go 1.13.x -> 1.14.x, fix integration test data (#432)
bb6c7a7 docs: add ZLint announcements mailing list to README (#431)
ee0c915 Adding mailing list link to README.

v2.2.0-rc2

08 Sep 15:30
2b994a7
v2.2.0-rc2 Pre-release

ZLint v2.2.0-rc2

The ZMap team is happy to share a v2.2.0 release candidate 2. This minor release primarily includes bug fixes and new lints.

New Lints:

  • New RFC 5280 Lints:
    • e_cert_sig_alg_not_match_tbs_sig_alg to verify tbsCertificate algorithm matches certificate's signature algorithm.
  • New CA/Browser Forum Lints:
    • e_san_dns_name_onion_invalid to validate .onion certificate subject addresses are well-formed.

Updated Lints:

  • e_ext_tor_service_descriptor_hash_invalid updated for Ballot SC27 to only require the extension for EV certificates.

Removed Lints:

  • e_sub_ca_aia_does_not_contain_ocsp_url, as of Ballot SC31 this lint is no longer required.

Command Line Utility Updates:

  • -summary and -longSummary command line flags added to zlint utility for presenting lint results in a human-readable tabular form.

Bug Fixes:

  • lint_ev_valid_time_too_long maximum validity calculation fixed and source/citation/package corrected to CABF EV Guidelines.
  • e_ev_business_category_missing, e_ev_country_name_missing, e_ev_organization_name_missing, and e_ev_serial_number_missing source/citation/package corrected to CABF EV Guidelines.
  • e_tls_server_cert_valid_time_longer_than_398_days fixed to not apply to CA certificates.
  • e_tls_server_cert_valid_time_longer_than_398_days off-by-one-second fix.

Misc:

  • README updates.
  • Updated ZCrypto dependency (Added QCStatement support).
  • Updated TLD data (Current to 2020-07-29).

Full Changelog

e1a9412 Add citation for sub-CAs to ca_digital_signature_not_set (#464)
9ab0643 Ballot SC31 makes OCSP optional for intermediate certificates. (#463)
3f689d2 README to suggest checking x509.ParseCertificate error (#460)
ada0991 autopull: 2020-07-29T15:10:15Z (#459)
6d02ef7 tests: add NA test case for e_tls_server_cert_valid_time_longer_than_398_days (#457)
34310bd this lint shouldn't apply to CA certs (#456)
ca9532d Create options for human-readable output formats (#437)
5f05d1d gTLD autopull: 2020-07-18T15:05:07Z (#455)
a9b0032 gTLD autopull: 2020-06-27T14:52:30Z (#452)
f530e42 docs: add Entrust Datacard to README ZLInt users. (#451)
d4acbba lints: cabf_br lint to verify .onion addresses are well-formed (#450)
84a8a20 Fix .onion tests to only apply to EV certificates (#449)
ecf8678 Move EV-specific tests to cabf_ev (#445)
c820d95 Fix the EV validity check (#447)
37a03da docs: correct link to integration test documentation (#446)
ce1631b autopull: 2020-06-03T14:39:17Z (#444)
de9eafb Check tbsCertificate signature algorithm matches certificate (#436)
82e1f43 gTLD autopull: 2020-05-28T14:35:00Z (#442)
da06a3a autopull: 2020-05-27T14:34:02Z (#441)
9957909 Deps: Update ZCrypto, fix assoc. test breakage. (#435)
a42b778 ci: remove vendor dir, Go 1.13.x -> 1.14.x, fix integration test data (#432)
bb6c7a7 docs: add ZLint announcements mailing list to README (#431)
ee0c915 Adding mailing list link to README.
2b994a7 Align Validity Period definition with RFC 5280 (#469)
f20a717 CONTRIBUTING: Add notes on publishing a release. (#468)

v2.2.0-rc1

02 Sep 00:01
v2.2.0-rc1
e1a9412
v2.2.0-rc1 Pre-release

ZLint v2.2.0-rc1

The ZMap team is happy to share a v2.2.0 release candidate. This minor release primarily includes bug fixes and new lints.

New Lints:

  • New RFC 5280 Lints:
    • e_cert_sig_alg_not_match_tbs_sig_alg to verify tbsCertificate algorithm matches certificate's signature algorithm.
  • New CA/Browser Forum Lints:
    • e_san_dns_name_onion_invalid to validate .onion certificate subject addresses are well-formed.

Updated Lints:

  • e_ext_tor_service_descriptor_hash_invalid updated for Ballot SC27 to only require the extension for EV certificates.

Removed Lints:

  • e_sub_ca_aia_does_not_contain_ocsp_url, as of Ballot SC31 this lint is no longer required.

Command Line Utility Updates:

  • -summary and -longSummary command line flags added to zlint utility for presenting lint results in a human-readable tabular form.

Bug Fixes:

  • lint_ev_valid_time_too_long maximum validity calculation fixed and source/citation/package corrected to CABF EV Guidelines.
  • e_ev_business_category_missing, e_ev_country_name_missing, e_ev_organization_name_missing, and e_ev_serial_number_missing source/citation/package corrected to CABF EV Guidelines.
  • e_tls_server_cert_valid_time_longer_than_398_days fixed to not apply to CA certificates.

Misc:

  • README updates.
  • Updated ZCrypto dependency (Added QCStatement support).
  • Updated TLD data (Current to 2020-07-29).

Full Changelog

e1a9412 Add citation for sub-CAs to ca_digital_signature_not_set (#464)
9ab0643 Ballot SC31 makes OCSP optional for intermediate certificates. (#463)
3f689d2 README to suggest checking x509.ParseCertificate error (#460)
ada0991 autopull: 2020-07-29T15:10:15Z (#459)
6d02ef7 tests: add NA test case for e_tls_server_cert_valid_time_longer_than_398_days (#457)
34310bd this lint shouldn't apply to CA certs (#456)
ca9532d Create options for human-readable output formats (#437)
5f05d1d gTLD autopull: 2020-07-18T15:05:07Z (#455)
a9b0032 gTLD autopull: 2020-06-27T14:52:30Z (#452)
f530e42 docs: add Entrust Datacard to README ZLInt users. (#451)
d4acbba lints: cabf_br lint to verify .onion addresses are well-formed (#450)
84a8a20 Fix .onion tests to only apply to EV certificates (#449)
ecf8678 Move EV-specific tests to cabf_ev (#445)
c820d95 Fix the EV validity check (#447)
37a03da docs: correct link to integration test documentation (#446)
ce1631b autopull: 2020-06-03T14:39:17Z (#444)
de9eafb Check tbsCertificate signature algorithm matches certificate (#436)
82e1f43 gTLD autopull: 2020-05-28T14:35:00Z (#442)
da06a3a autopull: 2020-05-27T14:34:02Z (#441)
9957909 Deps: Update ZCrypto, fix assoc. test breakage. (#435)
a42b778 ci: remove vendor dir, Go 1.13.x -> 1.14.x, fix integration test data (#432)
bb6c7a7 docs: add ZLint announcements mailing list to README (#431)
ee0c915 Adding mailing list link to README.

v2.1.0

22 May 22:37
v2.1.0
1e160b1

ZLint v2.1.0

The ZMap team is happy to announce the v2.1.0 release. This minor release primarily includes bug fixes and new lints.

New Lints

  • New CABF Baseline Requirements Lint
    • e_ext_nc_intersects_reserved_ip
  • New Mozilla PKI Policy Lints
    • e_mp_rsassa-pss_in_spki
    • e_mp_rsassa-pss_parameters_encoding_in_signature_algorithm_correct
    • e_mp_ecdsa_pub_key_encoding_correct
    • e_mp_ecdsa_signature_encoding_correct
  • New Apple PKI Policy Lints
    • e_tls_server_cert_valid_time_longer_than_398_days

Bug Fixes

  • The 2001:5::/32 network was removed from reserved networks list since it is no longer IANA reserved.

Misc

  • Updated TLD data (Current to 2020-04-02).
  • README updates.
  • CI test for ensuring OpenSSL text prepend of test cert data.

Full Changelog

1e160b1 ci: update goreleaser install URL. (#429)
3bf4bbf lints: enforce Mozilla PKI policy for ECDSA pubkey/sig alg curves/encoding. (#378)
206df7d gTLD autopull: 2020-04-02T17:35:25Z (#425)
d933f03 autopull: 2020-03-28T17:34:11Z (#423)
4ca0695 Fix spelling of 'distinguished' in lint descriptions (#422)
94d7dde util: rewrite test/prepend_testcerts_openssl.sh, update testdata (#421)
83d24bd lints: lint for upcoming Apple max cert lifetime policy. (#417)
cfbfdec gTLD autopull: 2020-03-14T17:26:52Z (#420)
c7c6a31 lints: enforce Mozilla PKI policy RSASSA-PSS encoding requirements (#377)
b28794b docs: fix template to use v2 package import. (#416)
1968515 lints: disallow reserved iPAddresses in NCs (#414)
48bf6ee remove lisp reserved range since no longer IANA reserved (#415)
3329bb6 README: fix a typo and fix the example for LintCertificateEx (#409)
5b2df5c lints: enforce Mozilla PKI policy omission of id-RSASSA-PSS oid (#376)

v2.1.0-rc1

12 May 14:55
v2.1.0-rc1
1e160b1
v2.1.0-rc1 Pre-release

ZLint v2.1.0

The ZMap team is proud to share a v2.1.0 release candidate. This minor release primarily includes bug fixes and new lints.

New Lints

  • New CABF Baseline Requirements Lint
    • e_ext_nc_intersects_reserved_ip
  • New Mozilla PKI Policy Lints
    • e_mp_rsassa-pss_in_spki
    • e_mp_rsassa-pss_parameters_encoding_in_signature_algorithm_correct
    • e_mp_ecdsa_pub_key_encoding_correct
    • e_mp_ecdsa_signature_encoding_correct
  • New Apple PKI Policy Lints
    • e_tls_server_cert_valid_time_longer_than_398_days

Bug Fixes

  • The 2001:5::/32 network was removed from reserved networks list since it is no longer IANA reserved.

Misc

  • Updated TLD data (Current to 2020-04-02).
  • README updates.
  • CI test for ensuring OpenSSL text prepend of test cert data.

Full Changelog

1e160b1 ci: update goreleaser install URL. (#429)
3bf4bbf lints: enforce Mozilla PKI policy for ECDSA pubkey/sig alg curves/encoding. (#378)
206df7d gTLD autopull: 2020-04-02T17:35:25Z (#425)
d933f03 autopull: 2020-03-28T17:34:11Z (#423)
4ca0695 Fix spelling of 'distinguished' in lint descriptions (#422)
94d7dde util: rewrite test/prepend_testcerts_openssl.sh, update testdata (#421)
83d24bd lints: lint for upcoming Apple max cert lifetime policy. (#417)
cfbfdec gTLD autopull: 2020-03-14T17:26:52Z (#420)
c7c6a31 lints: enforce Mozilla PKI policy RSASSA-PSS encoding requirements (#377)
b28794b docs: fix template to use v2 package import. (#416)
1968515 lints: disallow reserved iPAddresses in NCs (#414)
48bf6ee remove lisp reserved range since no longer IANA reserved (#415)
3329bb6 README: fix a typo and fix the example for LintCertificateEx (#409)
5b2df5c lints: enforce Mozilla PKI policy omission of id-RSASSA-PSS oid (#376)